[Snort-sigs] BIttorrent Signature updates

Nigel Houghton nigel at ...435...
Thu Jul 8 07:36:52 EDT 2004


On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
> I've updated Chich Thierry's Bittorrent rules a bit. I've seen and had a 
> number of falses reported, especially in backup streams from things like 
> veritas, etc.
> 
> I've added port ranges to them.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"BLEEDING-EDGE P2P 
> BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; 
> flags:PA; classtype:policy-violation; sid:2000334; rev:2;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6999 (msg:"BLEEDING-EDGE 
> P2P BitTorrent peer sync"; content:"|0000000d0600|"; offset:0; depth:12; 
> flags:PA; classtype:policy-violation; sid:2000357; rev:1;)

Here is the port information from the Bittorrent protocol [0]:

  The port number this peer is listening on. Common behavior is
  for a downloader to try to listen on port 6881 and if
  that port is taken try 6882, then 6883, etc. and give up
  after 6889.

Not sure where you got your port information from, but it would seem your 
port range is a little generous. I might go for a rule to seek out
connections to a listener on my home net, that might focus things a little
more.

[0] http://bitconjurer.org/BitTorrent/protocol.html

> 
> I think this will eliminate the falses. Please let me know if this makes 
> them ineffective.
> 
> Matt
 
-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

"Dude, dolphins are intelligent and friendly!" -- Wendy
"Intelligent and friendly on rye bread, with some mayonaise." -- Cartman
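As an added illustration (not part of the thread above, and not Snort's own matching engine), the following Python re-implements the quoted rule's content/offset/depth test and its destination-port check, then runs both the rule's 6881:6999 range and the 6881-6889 range from the protocol text over constructed packets. The sample packets and the port lists are constructed for this example.

```python
"""Model the quoted BitTorrent rule's content and port checks and compare
the two port ranges under discussion.  Added example, not from the thread."""
import struct

# From the rule: content:"|0000000d0600|"; offset:0; depth:12;
RULE_CONTENT = bytes.fromhex("0000000d0600")
RULE_OFFSET = 0
RULE_DEPTH = 12

# Port ranges under discussion: the rule's, and the one the protocol text gives.
RULE_PORTS = (6881, 6999)
SPEC_PORTS = (6881, 6889)

def content_match(payload: bytes, content=RULE_CONTENT,
                  offset=RULE_OFFSET, depth=RULE_DEPTH) -> bool:
    """Snort semantics: look for `content` anywhere in the window that starts
    at `offset` and extends `depth` bytes from there."""
    window = payload[offset:offset + depth]
    return content in window

def port_in_range(port: int, rng) -> bool:
    lo, hi = rng
    return lo <= port <= hi

def rule_fires(payload: bytes, dst_port: int, ports=RULE_PORTS) -> bool:
    """True when both the port check and the content check pass."""
    return port_in_range(dst_port, ports) and content_match(payload)

def decode_peer_message(payload: bytes):
    """Peer-wire framing: 4-byte big-endian length, then a 1-byte message id.
    The rule's bytes correspond to length 13, id 6 (a piece 'request') whose
    piece index has a zero high byte (my reading of the pattern, not the thread's)."""
    if len(payload) < 5:
        return None
    return struct.unpack(">IB", payload[:5])

# Constructed sample packets.
bt_request = struct.pack(">IB", 13, 6) + struct.pack(">III", 7, 0, 16384)
backup_stream = bytes(12)                 # all zeros: no 0d 06 anywhere
late_pattern = bytes(8) + RULE_CONTENT    # pattern starts past the depth window

def compare_ranges(payload: bytes, ports=(6881, 6889, 6890, 6969)):
    """For each port, report whether the rule range and the spec range fire."""
    return {p: (rule_fires(payload, p, RULE_PORTS),
                rule_fires(payload, p, SPEC_PORTS)) for p in ports}

if __name__ == "__main__":
    for port, (rule, spec) in compare_ranges(bt_request).items():
        print(f"port {port}: rule range fires={rule}, spec range fires={spec}")
```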